php跨站攻击实例分析,php跨实例分析
php跨站攻击实例分析,php跨实例分析
本文实例讲述了php跨站攻击的原理与防范技巧。分享给大家供大家参考。具体方法分析如下:
跨站攻击就是利用程序上的一些细节或bug问题进行的,那么我们要如何耿防止跨站攻击呢?下面就以一个防止跨站攻击例子来说明,希望对各位有帮助。
复制代码 代码如下:
#demo for prevent csrf
/**
* enc
*/
function encrypt($token_time) {
return md5('!@##$@$$#%43' . $token_time);
}
$token_time = time();
$token = encrypt($token_time);
$expire_time = 10;
if ($_POST) {
$_token_time = $_POST['token_time'];
$_token = $_POST['token'];
if ((time() – $_token_time) > $expire_time) {
echo “expired token”;
echo “
”;
}
echo $_token;
echo “
”;
$_token_real = encrypt($_token_time);
echo $_token_real;
//compare $_token and $_token_real
}
?>
通过在你的表单中包括验证码,你事实上已经消除了跨站请求伪造攻击的风险。可以在任何需要执行操作的任何表单中使用这个流程
当然,将token 存储到session更好,这里只是简单示例下
简单分析:
token防攻击也叫作令牌,我们在用户访问页面时就生成了一个随机的token保存session与表单了,用户提交时如果我们获取到的token与session不一样就可以提交重新输入提交数据了
希望本文所述对大家的php程序设计有所帮助。
if($rw_uid = intval($rws[0])) { $rw_uid 貌似是 因为判断产生的 跨站脚本攻击漏洞
举例: $_GET['rewrite'] = '123_js';
那么 按判断方式 理想得到的结果是 $_GET['uid'] = 123; $_GET['do'] = 'js';
但是 如果 $_GET['rewrite'] = 'js'; 按照判断 结果就等于 $_GET['do'] = 'js';
这是验证不严格导致的 如果严格要求 闯入的必须是 这种格式 数字_字符串 那么就得严格滤过参数
防范的方式也简单:
1、程序代码漏洞,这需要有安全意识的程序员才能修复得了,通常是在出现被挂马以后才知道要针对哪方面入手修复;
2、也可以通过安全公司来解决,国内也就Sinesafe和绿盟等安全公司 比较专业.
3.服务器目录权限的“读”、“写”、“执行”,“是否允许脚本”,等等,使用经营已久的虚拟空间提供商的空间,可以有效降低被挂马的几率。
我是从事IDC行业的.以上这些也是平时工作中经常遇到的问题.希望我的回答对你有所帮助.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1371
52
CakePHP Project Configuration
Sep 10, 2024 pm 05:25 PM
In this chapter, we will understand the Environment Variables, General Configuration, Database Configuration and Email Configuration in CakePHP.
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
CakePHP Date and Time
Sep 10, 2024 pm 05:27 PM
To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.
CakePHP Working with Database
Sep 10, 2024 pm 05:25 PM
Working with database in CakePHP is very easy. We will understand the CRUD (Create, Read, Update, Delete) operations in this chapter.
CakePHP File upload
Sep 10, 2024 pm 05:27 PM
To work on file upload we are going to use the form helper. Here, is an example for file upload.
CakePHP Routing
Sep 10, 2024 pm 05:25 PM
In this chapter, we are going to learn the following topics related to routing ?
Discuss CakePHP
Sep 10, 2024 pm 05:28 PM
CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu
CakePHP Creating Validators
Sep 10, 2024 pm 05:26 PM
Validator can be created by adding the following two lines in the controller.
